The answers

In this section I'll present my answers to the stated questions in an easily readable
fashion. In the section The analysis I've discussed things
in more depth.

What is the operating system of the honeypot? How did you determine that?

The honeypot runs SunOS 5.8 (Solaris 8) on a Sun Ultra. I determined this in a
few ways:

ICMP destination (port) unreachable packets were sent back to systems doing NMB queries
to UDP port 137. Most Windows-based systems would be listening on this port. Therefore,
this system is very likely not a Windows machine.

Secondly, the daemon running on port 6112 sent "zoberius:SunOS:5.8:sun4u" to the
connecting system. Very likely this is "<hostname>:<OS>:<OS-version>:<architecture>".
I looked up port 6112: dtspcd, which comes with CDE. Default Solaris 8 installs that
include X run this daemon.

Thirdly, there was some exploit code sent to 'dtspcd'. The NOP padding "801c 4011" consists of
SPARC NOPs. This was discussed in the winning paper of SotM #20.
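
As an added illustration (not code from the original analysis), the two payload-based checks above can be automated: pulling the OS fields out of the port 6112 banner and flagging runs of the "801c 4011" padding word. The function names, the minimum run length of 8 words and the sample payloads are assumptions constructed for this example.

```python
import re

# NOP word reported above in the exploit padding ("801c 4011")
SPARC_NOP = bytes.fromhex("801c4011")
# Banner layout inferred above: <hostname>:<OS>:<OS-version>:<architecture>
BANNER_RE = re.compile(rb"([A-Za-z0-9._-]+):([A-Za-z]+):([0-9][0-9.]*):([A-Za-z0-9_]+)")

def parse_banner(payload: bytes):
    """Return the banner fields found in a server-to-client payload, or None."""
    m = BANNER_RE.search(payload)
    if not m:
        return None
    keys = ("hostname", "os", "version", "arch")
    return dict(zip(keys, (g.decode("ascii") for g in m.groups())))

def find_nop_runs(payload: bytes, word: bytes = SPARC_NOP, min_words: int = 8):
    """Return (offset, word_count) for every run of at least min_words copies of word.

    min_words is an assumed threshold; a short run can occur by chance in binary data.
    """
    runs, step = [], len(word)
    i = payload.find(word)          # runs may start at any byte offset
    while i != -1:
        n = 1
        while payload[i + n * step : i + (n + 1) * step] == word:
            n += 1
        if n >= min_words:
            runs.append((i, n))
        i = payload.find(word, i + n * step)
    return runs

if __name__ == "__main__":
    # Constructed sample payloads, not bytes taken from the capture.
    reply = b"\x00" * 5 + b"zoberius:SunOS:5.8:sun4u\x00"
    request = b"HDRAAA" + SPARC_NOP * 64 + b"\xde\xad\xbe\xef"
    print(parse_banner(reply))
    print(find_nop_runs(request))
```
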

Using an exploit for a buffer overflow in the Subprocess Control Server (dtspcd) daemon running
on the honeypot. The CERT advisory can be found here.

Which systems were used in this attack, and how?

61.219.90.180 (Taiwanese address). From this system the honeypot was cracked using an exploit for dtspcd. There was also
a connection from this system to a root shell bound on port 1524 to install a rootkit.

62.211.66.16 (tin.it, Italian). From this system 'wget', 'dlp', 'solbnc' and 'ipv6sun' are downloaded.

62.211.66.53 (tin.it, Italian). From this system 'sol.tar.gz' is downloaded with the above 'wget'. This file contains a rootkit.

80.117.14.44 (tin.it, Italian). A system in an ADSL IP pool, possibly (and likely) the home IP address of the attacker.

Create a diagram that demonstrates the sequences involved in the attack